How hackers will jailbreak the iPhone 5


Starting tomorrow, some of the world’s most tenacious hackers will begin the tricky task of jailbreaking the iPhone 5. To date, every iPhone has eventually been cracked wide open, first with a tethered jailbreak and later, usually after a longer wait, an untethered one. Every year Apple releases new products with more elaborate security measures, and every year they fall to the increasingly sophisticated attacks of the jailbreak community.

How does a hacker jailbreak an iPhone or iPad, though? Well, I’m glad you asked, because the answer is rather interesting.

Defining the problem

To begin with, hackers aren’t interested in hacking the iPhone 5 itself — they’re actually looking for flaws in iOS 6 and the A6 SoC, both of which are brand new and relatively unknown. In the iPhone 4S’s case, the device withstood jailbreak attempts for months, much longer than any earlier Apple device, before it finally fell.

To create an untethered jailbreak for the iPhone 5, hackers first have to find an exploitable bug in the iOS 6 kernel, and then a way to get their code running at every boot, before the operating system’s protections are in force, without a computer attached. On older devices that second ingredient came from bugs in the boot chain, and in the best case from the boot ROM itself, the first code executed when an iDevice is powered on. The boot ROM is burned into the chip and cannot be updated, so a bug there stays exploitable for the life of the hardware; nothing can be injected into it, but a bug in it can be used to make it run unsigned code. The custom code then patches out the device’s security features, code-signature enforcement above all, allowing you to install non-App Store programs such as Cydia. Voila, one jailbroken iPhone.

Finding a kernel exploit

On something like a Linux PC, where you have the full source code and physical access to the ports on the back of the machine, finding a kernel exploit is comparatively easy: it is still painstaking analysis, leaving no stone unturned, but nothing stands in the way of the analysis itself. iOS’s source code is closed, however (though XNU, the kernel it is based on, is open source), and the hardware is relatively locked down.

In the case of iOS 4 and 5, both of which have been jailbroken, the kernel includes support for a debugger, a facility that exposes a great deal of information about the kernel’s behavior so that Apple’s own engineers can find and squash bugs. It is not switched on by default; it has to be enabled with kernel boot arguments, which on a locked-down device means you already need a boot-time exploit just to set them. And it is only reachable over a serial connection, whereas the iPhone obviously has no serial connector on the bottom. Or does it?

It turns out that the old 30-pin dock connector actually has two pins set aside for serial communications, and to use them all you have to do is solder together a few simple components (essentially a level shifter for the phone’s logic-level UART, plus a USB-to-serial adapter for the computer) that can be bought for around $30.

With the home-brew cable made, a hacker can open a serial connection to the iDevice and talk to the kernel debugger. From there it’s a matter of finding an exploit: a flaw in the kernel that can be used to run arbitrary code with kernel privileges. That is more than root access; it is from inside the kernel that a jailbreak disables code-signature enforcement and the sandbox. This step is incredibly complicated and requires a vast amount of software expertise. For more info, see Stefan Esser’s excellent Black Hat and CanSecWest [PDF] presentations on iOS kernel exploitation.
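For readers who want to see the computer side of that link, here is an added example (not code from the original article, and not taken from any jailbreak tool): a small POSIX C program that opens the USB-to-serial adapter the home-brew cable plugs into, puts the port into raw 8N1 mode so that bytes reach the debugger untouched, and relays whatever the device prints on its console to stdout. The device path (/dev/ttyUSB0) and the 115200 baud rate are assumptions; check them against your adapter and the cable you built.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <termios.h>
#include <unistd.h>

/* Fill *tio with a raw 8N1 configuration at the given baud rate.
 * Raw mode matters for a kernel console: no line editing, no echo,
 * no CR/LF translation and no flow-control characters, so every byte
 * the debugger sends or expects passes through unchanged.
 * Returns 0 on success, -1 if the baud rate is rejected. */
int configure_raw_termios(struct termios *tio, speed_t baud)
{
    memset(tio, 0, sizeof(*tio));   /* all input/output/local processing off */
    tio->c_cflag = CS8 | CREAD | CLOCAL;  /* 8 data bits, receiver on, ignore modem lines */
    /* parity (PARENB) and 2 stop bits (CSTOPB) stay clear: 8N1 */
    tio->c_cc[VMIN] = 1;            /* block until at least one byte arrives */
    tio->c_cc[VTIME] = 0;           /* no inter-byte timeout */
    if (cfsetispeed(tio, baud) != 0 || cfsetospeed(tio, baud) != 0)
        return -1;
    return 0;
}

/* Open the serial device and apply the raw configuration.
 * Returns the file descriptor, or -1 with errno set. A path that is not
 * a terminal (e.g. /dev/null) fails at tcsetattr() with ENOTTY. */
int open_serial(const char *path, speed_t baud)
{
    int fd = open(path, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    struct termios tio;
    if (configure_raw_termios(&tio, baud) != 0 || tcsetattr(fd, TCSANOW, &tio) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    /* Drop O_NONBLOCK now that the port is configured so read() honours VMIN. */
    int flags = fcntl(fd, F_GETFL);
    if (flags >= 0)
        fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
    tcflush(fd, TCIOFLUSH);         /* discard anything queued before we attached */
    return fd;
}

/* Copy console output from fd to stdout until EOF (adapter unplugged,
 * or end of a pipe when testing) or an unrecoverable read error.
 * Returns the number of bytes relayed. */
long relay_console(int fd)
{
    char buf[256];
    long total = 0;
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            break;
        }
        if (n == 0)
            break;
        fwrite(buf, 1, (size_t)n, stdout);
        fflush(stdout);
        total += n;
    }
    return total;
}

int main(int argc, char **argv)
{
    /* Assumed defaults: change to match your USB-serial adapter and cable. */
    const char *path = argc > 1 ? argv[1] : "/dev/ttyUSB0";
    int fd = open_serial(path, B115200);
    if (fd < 0) {
        fprintf(stderr, "open_serial(%s): %s\n", path, strerror(errno));
        return 1;
    }
    fprintf(stderr, "attached to %s, Ctrl-C to stop\n", path);
    long n = relay_console(fd);
    fprintf(stderr, "link closed after %ld bytes\n", n);
    close(fd);
    return 0;
}
```

Run it as `./serial /dev/ttyUSB0` with the cable attached and the device booting. The important design choice is the zeroed termios with only CS8, CREAD and CLOCAL set: the default "cooked" terminal settings would echo bytes back, translate carriage returns and swallow XON/XOFF characters, any of which corrupts a binary debugger protocol.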

Tethered or untethered?

Once you’ve found a kernel exploit and can run your own code inside the kernel, you have a jailbreak, but only for the current boot. If the exploit has to be delivered from a computer over USB every time the device starts, it is a tethered jailbreak. An untethered jailbreak needs a second ingredient: a way to re-run the exploit at every boot with no computer attached. One route is a bug in the boot chain itself. Limera1n, for example, exploits a bug in the boot ROM of A4 and earlier devices; because the boot ROM is read-only, Apple could never patch it and every such device stays vulnerable. On its own, though, Limera1n still needs a USB host to trigger it, so it yields a tethered jailbreak until it is paired with an exploit that persists on the device. The other route is a purely software untether: a bug in a system component that runs early in every boot, chained into the kernel exploit, which is how the A5 devices were eventually untethered.

In the case of Apple’s A5 SoC, which debuted in the iPad 2 in March 2011, it took ten months to find an exploit that would allow an untethered jailbreak. In the words of a Chronic Dev Team spokesperson: “I don’t know if any iOS hacker anticipated how much the A5 chip would completely change the game & up the stakes. The endless war we fight to jailbreak has become more & more difficult with each new device released, and our recent battle against A5 only proved this further.”

Jailbreaking the iPhone 5 and A6 SoC

The iPad 2 and iPhone 4S, both powered by the A5 SoC, were by far the hardest iDevices to crack; earlier devices usually lasted only days or weeks. That is partly because Apple keeps working to thwart would-be hackers, and partly because Apple hired Nicholas Allegra (aka Comex), one of the key members of the jailbreak community. Not only did that slow the jailbreaking of the A5; more importantly, Comex has presumably spent the last year hardening the A6 and iOS 6 against as many attack vectors as possible.

There’s the matter of the new Lightning connector, too. I suspect it doesn’t have dedicated serial pins, which adds another layer that the iDevice hackers will have to reverse engineer. There is one possible glimmer of hope in that iOS 6 has already been jailbroken, but only on older devices (the iPhone 3GS and the A4-based iPhone 4), and only as a tethered jailbreak.

Will the A6 fall? Will the iPhone 5 be jailbroken? If history has taught us anything, it’s that nothing is truly secure. Given enough man-hours, an exploit will be found.

Apple doesn’t need to make the iPhone 5 completely secure, though — it just needs to last a couple of generations, until the next upgrade cycle. Given Apple’s continued investment in security and the news that the A6 SoC features a highly customized in-house design, I wouldn’t be surprised if the iPhone 5 remains unjailbroken for a long time to come.

Updated: This story has been updated slightly to more accurately reflect some nuances of iOS hacking.


“On something like a Linux PC,
where you have full access to the source code and the ports on the back
of the computer, finding a kernel exploit is relatively easy”

Except that it isn’t.

http://www.mrseb.co.uk/ Sebastian Anthony

Relatively!

Gaylord

Fixed that for ya

“where you have full access to the source code and the ports on the back
of the computer, |searching for| a kernel exploit is relatively easy”

Anyway Kerckoff principle is nonsense to you?

AndyDontCare

For jailbreaker, I bet it would be easy.

Chris Hoffman

s/hack/crack/g

http://profiles.google.com/darren.meyer Darren Meyer

Cracking is a kind of hacking; it’s just that not all hackers are malicious (or even “breakers”).

Michael Garrett

My guess is that those serial pins will just have to be accessed with wires soldered to the phone’s internal logic board, but they still exist.

http://pulse.yahoo.com/_QDDG3BG4K2E2EUF3NE5XNUCD2I Mattie

The real problem is that you present your opinion as a fact, plus without citing any sources. Fox46.com

Xplorer4x4

It seems a bit extreme, imo, to think that techs would be forced to do soldering in store to get debugging output. However, I could see some sort of internal serial port that techs can easily jack into. Whether it would be straightforward for the iHackers to jack into is another matter though.

Michael Garrett

I wasn’t aware Apple techs actually diagnosed problems in-store. My assumption was that they just ordered a new device whenever something went wrong, no questions asked.
I was really addressing the OS designers who would normally be testing their code on a beta version of the phone and would need quick access to the internals of the phone. Only they would have the phone in its full, naked glory.

http://twitter.com/geekinit geekinit

Perhaps the lightning to 50 pin adapter remaps the serial pins. This would be useful when phones were returned to factory or whatever to be refurbished.

It’s a joke that people have to jailbreak a phone that they paid hundreds for. It’s almost as if you never properly own the iPhone if you can’t install what you like on it.

Chris

I agree. It’s like buying a game system that allows the guy who paid for the system to install Linux, then the TRUE owner of the system comes back, removes the feature and tells you to get stuffed. We don’t own things anymore; we’re not allowed to. We have to pay for them but we can’t use them as we wish, but I’m sure we all read that in the T.O.S. that’s 100 pages long and you’d need a lawyer to read it to you in order to fully understand it :)

http://profiles.google.com/darren.meyer Darren Meyer

you never properly own the iphone if you can’t install what you like on it.

This is the most astute comment on this thread at the moment. The fact that you have to exploit a security flaw to use a portable computer as a real general-purpose computer is depressing.

Unfortunately, the relative “safety” of Apple’s closed ecosystem is exactly what most consumers want. I just wish Apple would have a way for a user to say “yes, I’m fine voiding my warranty and handling my own stability and security controls; release me from your jail.” Short of paying your $99 to get a developer Key, and fighting with code signing, that is.

Xplorer4x4

“Unfortunately, the relative “safety” of Apple’s closed ecosystem is exactly what most consumers want.”
Seeing as Android is outselling iPhones 4 to 1, and the Galaxy S3 is outselling them something like 2 to 1, I don’t think most consumers care about closed source vs open source.

chojin999

In your own fantasy dreams, as well as Samsung managers’ dreams, the Galaxy S3 is outselling the iPhone, maybe.
In the real world, no.

You can jailbreak your phone and install whatever you want. Just don’t expect Apple to fix it for you if something goes wrong.

http://blog.firstdove.com/ Christian M. Z.

Users should never have to root or jailbreak their phones. Imagine what the world would be like if all our desktop OSes worked the same way: you can use it, but expect no admin access. (Some enterprise users may already experience this. Can’t install new software, can’t install hardware, sometimes driver installation is blocked, etc.)

http://www.facebook.com/skyler.hennessey.3 Skyler Hennessey

I will jailbreak the iPhone 5 as soon as it comes out unactivated, and it will be untethered.

http://profiles.google.com/darren.meyer Darren Meyer

Apple’s security measures are characterized as a war on jailbreaking. That’s not really fair — the methods used by jailbreakers to gain lower-level control of the device are also security flaws that malicious attackers could leverage.

I don’t know Apple’s internal thoughts about jailbreaking, but even if they actively supported that community, they would and *should* still fix the holes the jailbreakers find.

Xplorer4x4

As I recall, Apple was pushing Congress(?) hard for it to be illegal to jailbreak/root devices. They ultimately lost but they were very vocal on trying to get this passed. I believe this happened with in the past 2 years.

smithson

This article is wrong on multiple counts; you don’t seem to get the difference between hardware and software exploits and their relation to tethered and untethered jailbreaks.

http://www.mrseb.co.uk/ Sebastian Anthony

If that’s the case, please leave a more informative comment — I (and the other readers) would of course like to learn more :)

That’s awesome how many hours talented people invest into jailbreaking the devices, and for free!

chojin999

How gullible people are nowadays.
Just like with “cooked”/custom firmwares for Android phones, the same applies to jailbroken firmware for Apple. As well as custom firmware for the Sony PSP and so on.
It’s the same manufacturers that release “the cracks” on the internet.
It’s their employees that use an endless number of nicknames, blogs and websites claiming to be “hackers” and “crackers” and 12-year-old little kid geniuses and so on.
1) No one does anything for free.
2) Reverse-engineering and cracking/hacking any encrypted and/or DRM-protected hardware/software requires a lot of money, resources, knowledge and time. So it means that you need people with a lot of experience in the field, and they don’t work for free, none of them.
Also, just for example, Sony PSP custom firmwares: there, even emulators for other consoles have been included in some of those over the years, and as soon as Sony released a new firmware, after 24/48 hours the custom version “magically appeared”.
And nowadays no one questions how that is even possible?
I get the fact that surely more than 90% of people, even in the IT field, claiming to be experts really don’t have a clue about the real difficulty of doing any of this stuff, thinking that it’s just “a game for hackers” and “geniuses” and other silly childish nonsense.
But things don’t work that way in the real world. Not at all.

Xplorer4x4

I would love to see some sort of proof to back up these claims. You claim no one does this for free but that’s not quite true. For example, Android ROM chefs typically release the ROMs for free but usually have a PayPal/donate link in their signature or post info. While not quite the same thing, I did some modding for an old PC game a while back. It was mostly elaborating on a pre-existing but abandoned mod, but I still put hours of programming into it, hours of updating skins for 3D models, an hour or two updating a map texture, and more. I spent countless hours improving on what was already a great mod and have seen thousands of downloads of it. I did it all for free, and am planning to return to modding soon! Again I will be working for free, but I do encase the download link in a URL-shortened format from adf.ly. I haven’t had adf.ly in place long enough to judge its effectiveness but I am not expecting much. However, I am not forcing people to actually pay me out of pocket, and the mod has been available for probably a year or more prior to adding an adf.ly link.

http://blog.firstdove.com/ Christian M. Z.

How conceited some people are nowadays.

“…as soon as Sony released a new firmware after 24/48 hours the custom version “magically appeared”.

And nowadays no one questions how is that even possible?”

Why is that impossible? You do know that even as Sony does not “start from scratch” when they build new firmwares, neither do hacked firmware writers. They simply work from the existing codebase and make the necessary changes. If you did any programming yourself you’d understand how it works.

1) No one does anything for free

Working for a reward doesn’t necessarily mean it has to do with money. Take a look at the enormous community at XDA-Developers. Do you really think all of these people releasing ROMs and kernels are employed and *paid* by OEMs? Many hackers do what they do because they receive another reward from their work: the satisfaction of overcoming limitations, the adoration of the others in the community, or even just the feeling that he made a difference. Not everyone thinks that being a cynical bastard is the only way to live in this world.

Many hackers work in a group, just like professional programmers do in their daily lives. It cuts down the research and development time considerably. And as mentioned above, once you get the bulk of it down, any future updates involve relatively less work since you’re working off an existing codebase.

Personally I’ve spent over $20,000 and over 10 years of my life volunteering with a local non-profit. Much of the money and time was spent on producing and maintaining customized software solution and an online web presence supporting their community. Did I get paid with money? No. Did I get rewarded? Hell ya, the experience, knowledge gained and friendships earned from my time there was certainly rewarding, to say the least.

You’re not really aware of the “real world”, just a selfish subsection of it that you’re obviously (and seemingly proudly) a member of.

http://www.microsourcing.com/ MicroSourcing

Jailbreaking has always been one of the primary issues that Apple and consumers have had to deal with. While Apple releases gadgets with more complex security measures, it seems like those who jailbreak iPhones are always one step ahead.

I’m not due an upgrade to the iPhone 5 for around another 6 months. If there isn’t an untethered jailbreak out by then (and it doesn’t look like one will be available soon, or at all) I’ll seriously reconsider upgrading.

Pod2G is definitely going to jailbreak the iPhone 5.
He has not even looked into it yet.
Apple will sell more devices when their devices are jailbroken.

Wats-up

They should try the lightning to 30-pin adapter and see what happens there…

Mag

Hate to nag, but how long is a long time? I’m planning on getting an iphone 5, and I’m counting on the possibility that the jailbreaking will actually happen, and not TOO long from now. I just hope I won’t yell later: ” Why didn’t I go for the S3?”
